Setting up an "isolated" subnet

Posted on 2007-10-18
Last Modified: 2012-05-05
I work at a university in a laboratory where our network is really dependent upon the university's network being up. One particular laboratory that we have has instruments that connect to a "box" that translates the instruments' RS-232 signals to TCP/IP. That "box" has an ethernet cable that connects to a dataport which is behind a firewall. The firewall router is "managed" by our university IT at another location. We then have a Dell PowerEdge 2900 server in the lab that runs software to control the instruments through the "box".

We don't want these instruments to be dependent upon the university network being up... we had an experience where our firewall router's power was "accidentally" turned off and all our PCs in the lab began losing network access. What we would like to do is go directly from the "box" into the PowerEdge server without being dependent upon the university's firewall router.

Seems like I should be able to connect our "box" directly into a router in the lab, but I'm not so sure I know how to accomplish this. Can someone offer advice or point me to documentation on how best to set this up?
Question by: jb61264
    LVL 2

    Assisted Solution

    Have you got a switch behind the firewall where your server and box connect to? If you have, you could just put all the devices that you want isolated in a VLAN that only exists on that switch and has no route out to the rest of the network. That way, if your router goes down, as long as the switch is still up they can all communicate. This does assume that the box and the server are on the same subnet?
    LVL 63

    Expert Comment

    Depends on what is in the BOX?

    It may simply be enough to disconnect it, after powering down, and connect it to your router/switch.

    You need documentation on the Box.

    I hope this helps!

    Author Comment

    I currently do not have a switch or router, but we will be willing to purchase one... any recommendations on what to buy?

    The "box" is a custom-built device that includes 8 Moxa devices (each connects to one instrument we are controlling)... these 8 devices connect into one "gateway" box that ends in a single ethernet cable that is currently connected to a university network dataport.

    I'd basically like to come out of the "gateway" box with the ethernet cable and go into something (router?) that allows me to then directly go into the back of my PowerEdge 2900 server.

    jonmckinlay, I think you have the idea of what I'm trying to do... essentially I want to be completely isolated from the university's network but still be able to use the TCP/IP required to communicate with my lab instruments.
    LVL 25

    Accepted Solution

    Are you sure you want to be *completely* isolated from the U. network? Then, presumably, you'd have no internet access or campus access or...

    I think you probably have two kinds of computers in the lab:
    1) those that need to be reached/seen from outside
    2) those that don't need to be seen from outside.

    I don't know how many of each there are so here is a simple, small lab setup:

    Get a simple commodity router that's used in homes and small offices.

    (For the sake of making an example, I'm going to assume that the University network is on a private IP address range, i.e. to with 65,536 available addresses.
    So, we're going to choose a totally different private address range for the lab computers type #2. Namely: with room for 254 computers or IP addresses.)

    Assign IP address range to the LAN side of the router. Assign to the LAN port on the router.

    Assign an appropriate IP address to the WAN/Internet side of the router as a fixed IP address that matches what the University requires on the LAN side of your firewall, just like any of the type #1 computers. In effect, the router will be one of those computers.

    Plug all of the type #2 computers into the LAN side of the router and use the router's DHCP / "Get IP address automatically" on the clients, or assign all of the type #2 computers static IP addresses in the 172.... range. The router's LAN port address will be the "gateway" for all of these computers.

    Plug all of the #1 type computers into the firewall as now.  In general, these computers won't be able to "see" any of the type #2 computers unless you add a route to each of them like this:

    route add -p mask
    where is the WAN IP address of the router.

    This tells the #1 computers that they can reach the lab subnet computers by sending to the router.

    In turn, the lab computers' router will send packets destined for the type #1 computers to the router and, from the router, they will go directly to any of those computers.

    In general, the lab computers will be able to reach the university network but not the reverse, except for responses coming back to them. More to that story in another chapter...

    Now, if you want the #1 computers to continue to be able to communicate with one another when the firewall is down, then do this:

    Buy a simple switch with as many ports as there are computers, plus the router above, plus one. Plug all the type #1 computers into the switch. Plug the added router into the switch. Plug the firewall into the switch with one cable.

    Now all the type #1 computers can "see" each other even when the firewall is turned off.

    Maybe all you have are type #1 computers really; then you don't need the added router. It came about when you said "isolate"... but maybe all you meant was "be independent".
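As an added illustration (not part of the original thread), the script below checks an addressing plan of the kind the accepted solution describes and models who can initiate traffic to whom, including what still works when the campus firewall is off. The addresses are assumptions chosen to match the description (a /16 campus range, a separate /24 for the lab), since the answer's own values were not preserved; the `route add -p` syntax is the Windows form quoted in the answer.

```python
import ipaddress

# Constructed addressing plan (assumptions): the thread's own addresses were lost,
# so these are chosen to match the answer's description of the design.
UNIVERSITY_NET = ipaddress.ip_network("10.0.0.0/16")   # assumed campus range, 65,536 addresses
LAB_NET = ipaddress.ip_network("172.16.10.0/24")       # assumed lab range, 254 host addresses
ROUTER_LAN_IP = ipaddress.ip_address("172.16.10.1")    # router LAN port = gateway for type #2 hosts
ROUTER_WAN_IP = ipaddress.ip_address("10.0.5.20")      # router WAN port, fixed address on campus side


def validate_plan(univ, lab, lan_ip, wan_ip):
    """Return a list of problems with the plan; an empty list means it is consistent."""
    univ, lab = ipaddress.ip_network(univ), ipaddress.ip_network(lab)
    lan_ip, wan_ip = ipaddress.ip_address(lan_ip), ipaddress.ip_address(wan_ip)
    problems = []
    if univ.overlaps(lab):
        problems.append("lab subnet overlaps the university range; routes would be ambiguous")
    if lan_ip not in lab:
        problems.append("router LAN address is not inside the lab subnet")
    if wan_ip not in univ:
        problems.append("router WAN address is not inside the university range")
    return problems


def windows_route_command(lab, wan_ip):
    """Persistent static route a type #1 (campus-side) Windows host needs to reach the lab subnet."""
    lab, wan_ip = ipaddress.ip_network(lab), ipaddress.ip_address(wan_ip)
    return f"route add -p {lab.network_address} mask {lab.netmask} {wan_ip}"


def can_reach(src, dst, static_routes=(), firewall_up=True):
    """Model connection initiation under the answer's design.
    static_routes: (network, next_hop) pairs configured on the source host."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst not in UNIVERSITY_NET and dst not in LAB_NET:
        return firewall_up            # off-campus destinations only exist via the campus firewall
    if (src in LAB_NET) == (dst in LAB_NET):
        return True                   # same side: delivered by the lab router or switch alone
    if src in LAB_NET:
        return True                   # lab -> campus: default gateway is the router's LAN port
    return any(dst in ipaddress.ip_network(net) and ipaddress.ip_address(hop) == ROUTER_WAN_IP
               for net, hop in static_routes)  # campus -> lab: needs the explicit route


if __name__ == "__main__":
    print(validate_plan(UNIVERSITY_NET, LAB_NET, ROUTER_LAN_IP, ROUTER_WAN_IP) or "plan OK")
    print(windows_route_command(LAB_NET, ROUTER_WAN_IP))
    print("campus -> lab without route:", can_reach("10.0.3.7", "172.16.10.50"))
    print("lab -> lab, firewall off:   ", can_reach("172.16.10.50", "172.16.10.5", firewall_up=False))
```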
